Working with Java KeyStore

You have two apps on Google Play Store. Which one from the list below that you chose to sign your apps prior to releasing them to Google Play?

  1. Sign all your apps with the same certificate
  2. Sign each app with different certificate in the same Java KeyStore (let’s simply call it KeyStore)
  3. Create a new KeyStore with new certificate for each app

Let’s say you chose the second option.

And then, someone reach out to you, wanting to buy your second app. And instead of killing it, the plan is to develop it further.

Photo by The Framed Bear on Unsplash

That means, you would need to provide the certificate (let’s call it second certificate) to sign said app, so an updated version could be published to Google Play Store. What would you do?

You’re right, this post is about answering that What would you do? question with regards to the KeyStore.

What would you do?

But first, what could you do? What are the alternatives?

  1. Send a copy of the KeyStore, along with the passphrase for the KeyStore and the second certificate. If you’re using the same passphrase for all certificates in the KeyStore, either change the passphrase for the second certificate, or change the passphrase for the rest, as well as the passphrase for the KeyStore.
  2. Create a copy of existing KeyStore, remove all certificates but the second, modify the passphrase for KeyStore, and send the modified KeyStore.

To me, it’s obvious the second option is the better one, as you only share what they need. So, how might we do that?

Copy the KeyStore

$ cp original-keystore.jks second-app-keystore.jks

Remove aliases

Certificate in KeyStore can be accessed through alias.

Unless you remember the aliases for all certificates in the KeyStore, let’s first find out what aliases existed in the KeyStore. To do this, we’re going to use a tool called keytool, which is distributed along with JDK or JRE.

$ keytool -keystore second-app-keystore.jks -list

Running that command, you will get output similar to the following.

Keystore type: JKS
Keystore provider: SUN...alias-name-1, Jan 1, 2000, PrivateKeyEntry...alias-name-2, Mar 1, 2000, PrivateKeyEntry...

To remove an alias, you can use the following.

$ keytool -keystore second-app-keystore.jks -delete -alias "alias-name-1"

Verify that the KeyStore only contains alias to second certificate by re-running the command to list the aliases provided above.

Modify passphrase

Now that you have a KeyStore that only contains the certificate you want to share, let’s wrap up everything by modifying the passphrase for the KeyStore.

$ keytool -keystore second-app-keystore.jks -storepass "$CURRENT_KEYSTORE_PASSPHRASE" -storepasswd -new "$NEW_KEYSTORE_PASSPHRASE"

By now, you should have a KeyStore, which passphrase has been modified, and only contains the certificate that’s needed by your second app buyer.

So, rephrasing the first question at the beginning of this post, what will your decision be when it comes to signing your apps prior to releasing them to Google Play?

Choose one that will render this post obsolete!

Thanks to Natalia Lionardy. 

Related Posts

Streaming Festival Disrupto Exploration and Experimentation 2020

Streaming Festival Disrupto Exploration and Experimentation 2020

Resiko Berbahaya menggunakan VPN gratisan di Laptopmu!

Resiko Berbahaya menggunakan VPN gratisan di Laptopmu!

Part II — Understanding about RuleChain

Mengenal dasar RxSwift

No Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Tags